Abstract We present novel perfect secrecy systems
that provide immunity to spoofing attacks under equi- 
probable source probability distributions. On the theo- 
retical side, relying on an existence result for t-designs 
by Teirlinck, our construction method constructively 
generates systems that can reach an arbitrarily high level
of security. On the practical side, we obtain, via cyclic 
difference families, very efficient constructions of new 
optimal systems that are onefold secure against spoofing.
Moreover, we construct, by means of t-designs for
large values of t, the first near-optimal systems that are 
5- and 6-fold secure as well as further systems with a 
feasible number of keys that are 7-fold secure against 
spoofing. We apply our results furthermore to a re- 
cently extended authentication model, where the op- 
ponent has access to a verification oracle. We obtain 
this way novel perfect secrecy systems with immunity 
to spoofing in the verification oracle model. 
1 Introduction

Perfect secrecy systems (or codes) play a prominent role 
in information theory and cryptography. In terms of in- 
formation theoretic security, these systems shall ensure 
protection of the confidentiality of sensitive informa- 
tion in the presence of eavesdropping. The information 
theoretic, or unconditional, security model does not de- 
pend on any complexity assumptions and hence cannot 
be broken given unlimited computational resources. A 
well-known example of a perfect secrecy system is Ver- 
nam's One-time Pad. In his landmark paper "Com- 
munication theory of secrecy systems" [23], Shannon 
established a fundamental characterization of optimal 
perfect secrecy systems: A key-minimal secrecy system 
achieves perfect secrecy if and only if the encryption 
matrix is a Latin square and the keys are used with 
equal probability. Important generalizations have been 
obtained since then (see, e.g., [11,26,27]). In addition to 
the concept of perfect secrecy, various scenarios require 
that the systems provide robustness against spoofing 
attacks. Concerning the aspect of authenticity, the in- 
tegrity of information that is communicated via a po- 
tentially insecure channel shall be assured. Often such 
constructions involve a variety of tools from combina- 
torics (see, e.g., [13,15,16,20,26]). 

In this paper, we present novel perfect secrecy sys- 
tems that provide immunity to spoofing attacks un- 
der equiprobable source probability distributions. In 
the past decades various perfect secrecy systems have 
been constructed that offer zero (like Vernam's One- 
time Pad) or onefold security against spoofing. Recently, 
in [13], the first infinite classes of optimal perfect se- 
crecy systems that achieve twofold security have been 
constructed as well as further optimal systems that offer 
up to 4-fold security against spoofing under equiprobable
source probability distributions. This has been
achieved by means of particular Steiner t-designs, e.g.,
the famous 5-(12, 6, 1) Witt design. However, as Steiner
t-designs are not known to exist for t > 5, the level of
security cannot be augmented any further via this approach.
In the present paper, we develop a more general
construction method, which allows us to use t-designs
for higher values of t under equiprobable source probability
distributions. On the theoretical side, relying
on Teirlinck's existence result for t-designs [28], our
method constructively generates systems that can reach 
an arbitrarily high security level. On the practical side,
by using cyclic difference families, we give very effi- 
cient constructions of new optimal systems that are one- 
fold secure against spoofing. By employing t-designs for 
large values of t, we also present the first near-optimal 
systems that are 5- and 6-fold secure as well as further 
systems with a feasible number of keys that are 7-fold 
secure against spoofing. Moreover, we apply our results 
to an extended authentication model, where the op- 
ponent has access to a verification oracle. This model, 
which has been recently introduced and investigated 
in [1,21,29,30], allows a more powerful pro-active at- 
tack scenario. The opponent may send a message of the 
opponent's choice to the receiver and observe the re- 
ceiver's response whether or not the receiver accepts it 
as authentic. This can be modeled in terms of a verifica- 
tion oracle with an online/offline variant that provides 
a response to a query message in the same way as the 
message would be accepted or not by the legitimate re- 
ceiver. We obtain this way novel perfect secrecy systems 
with immunity to spoofing attacks in the verification 
oracle model. 



The organization of the paper is as follows: The un- 
derlying information theoretic Shannon-Simmons model 
is given in Section 2. Section 3 introduces background 
material on combinatorial structures that is important 
for our further purposes. Section 4 presents a short 
overview of known constructions of perfect secrecy sys- 
tems that provide robustness against spoofing attacks. 
In Section 5, a general construction method is devel- 
oped and we examine the level of security from a theo- 
retical point of view. The subsequent two sections deal 
then with the practical side: we give explicit construc- 
tions of optimal systems with onefold immunity to spoof- 
ing in Section 6, and of near-optimal and other feasible 
systems with multifold immunity in Section 7. In Sec- 
tion 8, we apply our constructions to the verification 
oracle model. The paper is concluded in Section 9. 



2 The Shannon-Simmons Model

We rely on the information theoretic (or unconditional) 
secrecy model developed by Shannon [23], and by Simmons
(e.g., [24,25]) including authentication. Our notation
follows, for the most part, that of [19,26]. In this
model of authentication and secrecy three participants 
are involved: a transmitter, a receiver, and an opponent. 
The transmitter wants to communicate information to 
the receiver via a public communications channel. The 
receiver in return would like to be confident that any re- 
ceived information actually came from the transmitter 
and not from some opponent (integrity of information). 
The transmitter and the receiver are assumed to trust 
each other. This is known as an authentication system 
(or authentication code, A-code). 

In what follows, let $\mathcal{S}$ denote a set of k source states
(or plaintexts), $\mathcal{M}$ a set of v messages (or ciphertexts),
and $\mathcal{E}$ a set of b encoding rules (or keys). Using an
encoding rule $e \in \mathcal{E}$, the transmitter encrypts a source
state $s \in \mathcal{S}$ to obtain the message m = e(s) to be sent
over the channel. The encoding rule is an injective function
from $\mathcal{S}$ to $\mathcal{M}$, and is communicated to the receiver
via a secure channel prior to any messages being sent.
For each encoding rule $e \in \mathcal{E}$, let $M(e) := \{e(s) : s \in \mathcal{S}\}$
denote the set of valid messages. A received message
m will be accepted by the receiver as being authentic
if and only if $m \in M(e)$. When this is fulfilled, the receiver
decrypts the message m by applying the decoding
rule $e^{-1}$, where

$$e^{-1}(m) = s \iff e(s) = m.$$

An authentication system can be represented algebraically
by a $(b \times k)$-encoding matrix with the rows indexed
by the encoding rules, the columns indexed by
the source states, and the entries defined by $a_{es} := e(s)$
$(1 \leq e \leq b,\ 1 \leq s \leq k)$.

Concerning authenticity, we address the following
scenario, called spoofing attack of order i (cf. [19]): Suppose
that an opponent observes $i \geq 0$ distinct messages,
which are sent through the public channel using
the same encoding rule. The opponent then inserts a
new message m' (being distinct from the i messages already
sent), hoping to have it accepted by the receiver
as authentic. The cases i = 0 and i = 1 are called
impersonation game and substitution game, respectively.
These cases have been studied in detail in recent years,
whereas less is known for higher orders.

For any i, we assume that there is some probability
distribution on the set of i-subsets of source states,
so that any set of i source states has a non-zero probability
of occurring. For simplification, we ignore the
order in which the i source states occur, and assume
that no source state occurs more than once. Given this
probability distribution $p_S$ on $\mathcal{S}$, the receiver and
transmitter choose a probability distribution $p_E$ on $\mathcal{E}$ (called
encoding strategy) with associated independent random
variables S and E, respectively. These distributions are
known to all participants and induce a third distribution,
$p_M$, on $\mathcal{M}$ with associated random variable M.
The deception probability is the probability that
the opponent can deceive the receiver with a spoofing
attack of order i. Combinatorial lower bounds can be
given as follows (cf. [19]).

Theorem 1 (Massey) In an authentication system
with k source states and v messages, for every $0 \leq i \leq t$,
the deception probabilities are bounded below by



An authentication system is called t-fold secure
against spoofing if $P_{d_i} = (k - i)/(v - i)$ for all $0 \leq i \leq t$.
The following theorem (cf. [19,22]) establishes a combinatorial
lower bound on the number of encoding rules
for this kind of attack.

Theorem 2 (Massey–Schöbi) If an authentication
system is $(t - 1)$-fold secure against spoofing, then the number
of encoding rules is bounded below by



Such a system is called optimal if the number of 
encoding rules meets the lower bound with equality. 

Concerning secrecy, we recall Shannon's fundamental
idea of perfect secrecy (cf. [23]): An authentication
system is said to have perfect secrecy if

$$p_S(s \mid m) = p_S(s)$$

for every source state $s \in \mathcal{S}$ and every message $m \in \mathcal{M}$.
That is, the a posteriori probability that the source
state is s, given that the message m is observed, is identical
to the a priori probability that the source state is
s. From Bayes' Theorem it follows that

$$p_S(s \mid m) = \frac{\sum_{\{e \in \mathcal{E} : e(s) = m\}} p_E(e)\, p_S(s)}{\sum_{\{e \in \mathcal{E} : m \in M(e)\}} p_E(e)\, p_S(e^{-1}(m))}.$$

This yields:

Lemma 1 (Stinson) An authentication system has perfect
secrecy if and only if

$$\sum_{\{e \in \mathcal{E} : e(s) = m\}} p_E(e) = \sum_{\{e \in \mathcal{E} : m \in M(e)\}} p_E(e)\, p_S(e^{-1}(m))$$

for every source state $s \in \mathcal{S}$ and every message $m \in \mathcal{M}$.

Therefore, if the encoding rules in a system are used
with equal probability, then a given message m occurs
with the same frequency in each column of the encoding
matrix.



3 Combinatorial Structures 

We give in this section some background material on
combinatorial structures that is important for our further
purposes. Let us assume that $t \leq k \leq v$ and $\lambda$ are
positive integers.

Definition 1 Let G be a finite additive Abelian group
of order v. A difference family DF$(v, k, \lambda)$ over G is a
family $\mathcal{F} = \{D_1, \ldots, D_l\}$ of subsets of G, satisfying the
following properties:

(i) $|D_i| = k$ for all i with $1 \leq i \leq l$,

(ii) the multiset union

$$\bigcup_{i=1}^{l} \{x - y : x, y \in D_i,\ x \neq y\}$$

contains every nonzero element of G exactly $\lambda$ times.

The sets $D_1, \ldots, D_l$ are called base blocks. A difference
family with a single base block is called a difference
set. A DF$(v, k, \lambda)$ with G isomorphic to the cyclic
group $C_v$ of order v is called a cyclic difference family
and denoted by CDF$(v, k, \lambda)$.

We recall the notion of authentication perpendicular 
arrays. These combinatorial structures are generaliza- 
tions of Latin squares. 

Definition 2 An authentication perpendicular array
$\mathrm{APA}_\lambda(t, k, v)$ is a $\lambda\binom{v}{t} \times k$ array, A, of v symbols, which
satisfies the following properties:

(i) every row of A contains k distinct symbols,

(ii) for any t columns of A, and for any t distinct symbols,
there are precisely $\lambda$ rows r of A such that the
t given symbols all occur in row r in the given t
columns,

(iii) for any $s \leq t - 1$ and for any s + 1 distinct symbols
$\{x_i\}_{i=1}^{s+1}$, it holds that among all the rows of A
that contain all the symbols $\{x_i\}_{i=1}^{s+1}$, the s symbols
$\{x_i\}_{i=1}^{s}$ occur in all possible subsets of s columns
equally often.

We present a simple example (due to van Rees,
cf. [27]):

Example 1 A 55 x 3 array A can be constructed by
developing the five rows

0 1 2
0 9 7
0 3 6
0 4 8
0 5 10

modulo 11. Every pair $\{x_1, x_2\}$ occurs in three rows of
A. Within these three rows, $x_1$ occurs once in each of
the three columns, as does $x_2$. This gives an
$\mathrm{APA}_1(2, 3, 11)$.

We recall furthermore the definition of combinato- 
rial t-designs. 

Definition 3 A $t$-$(v, k, \lambda)$ design $\mathcal{D}$ is a pair $(X, \mathcal{B})$,
which satisfies the following properties:

(i) X is a set of v elements, called points,

(ii) $\mathcal{B}$ is a family of k-subsets of X, called blocks,

(iii) every t-subset of X is contained in exactly $\lambda$ blocks.

We will denote points by lower-case and blocks by
upper-case Latin letters. Via convention, let $b := |\mathcal{B}|$
denote the number of blocks. Throughout this work,
'repeated blocks' are not allowed, that is, the same
k-subset of points may not occur twice as a block. If
t < k < v holds, then we speak of a non-trivial t-design.
For historical reasons, a $t$-$(v, k, \lambda)$ design with $\lambda = 1$ is
called a Steiner t-design (sometimes also a Steiner system).
If $\mathcal{D} = (X, \mathcal{B})$ is a $t$-$(v, k, \lambda)$ design with $t \geq 2$,
and $x \in X$ arbitrary, then the derived design with
respect to x is $\mathcal{D}_x = (X_x, \mathcal{B}_x)$, where $X_x = X \setminus \{x\}$,
$\mathcal{B}_x = \{B \setminus \{x\} : x \in B \in \mathcal{B}\}$. In this case, $\mathcal{D}$ is also called
an extension of $\mathcal{D}_x$. Obviously, $\mathcal{D}_x$ is a
$(t-1)$-$(v-1, k-1, \lambda)$ design.

For the existence of t-designs, basic necessary con- 
ditions can be obtained via elementary counting argu- 
ments (see, for instance, [2]): 

Lemma 2 Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, k, \lambda)$ design, and
for a positive integer $s \leq t$, let $S \subseteq X$ with $|S| = s$.
Then the number of blocks containing each element of
S is given by

$$\lambda_s = \lambda \frac{\binom{v-s}{t-s}}{\binom{k-s}{t-s}}.$$

In particular, for $t \geq 2$, a $t$-$(v, k, \lambda)$ design is also an
$s$-$(v, k, \lambda_s)$ design.

It is customary to set $r := \lambda_1$ denoting the number
of blocks containing a given point. It follows

Lemma 3 Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, k, \lambda)$ design. Then
the following holds:

(a) bk = vr.

(c) $r(k - 1) = \lambda_2(v - 1)$ for $t \geq 2$.



The next result (cf. [26]) uses t-designs in order 
to construct authentication perpendicular arrays. Fur- 
ther similar recursive constructions have been obtained 
in [31]. 

Theorem 3 (Stinson–Teirlinck) Suppose there is a
$t$-$(v, k, \lambda)$ design and an authentication perpendicular
array $\mathrm{APA}_{\lambda'}(t, k, k)$, then there is an $\mathrm{APA}_{\lambda\lambda'}(t, k, v)$.

Concerning the existence of t-designs, a seminal re- 
sult by Teirlinck [28] shows that there exist non-trivial 
t-designs for all possible values of t. 

Theorem 4 (Teirlinck) For given integers t and v
with $v \equiv t \pmod{(t+1)!^{2t+1}}$ and v > t + 1 > 0, there
exists a $t$-$(v, t+1, (t+1)!^{2t+1})$ design.

Teirlinck's recursive construction methods are constructive.
However, for a given t, they result in t-designs
with extremely large values for v and $\lambda$. For example,
the smallest parameters for the case t = 7 are
7-$(40320^{15} + 7, 8, 40320^{15})$. Until now no non-trivial
Steiner t-design with t > 5 has been found. Highly 
regular examples have been proven not to exist (cf., 
e.g., [12]). We refer the reader to [2,9] for encyclopedic 
accounts of key results in combinatorial design theory. 
Various connections of t-designs with coding and in- 
formation theory can be found in a recent survey [14] 
(with many additional references therein). 

4 Constructions using Combinatorial 
Structures 

4.1 Equiprobable Source Probability Distribution

When the source states are known to be independent
and equiprobable, authentication systems which are
$(t-1)$-fold secure against spoofing can be constructed
via t-designs (cf. [10,22,26]).

Theorem 5 (De Soete–Schöbi–Stinson) Suppose
there is a $t$-$(v, k, \lambda)$ design. Then there is an authentication
system for k equiprobable source states, having
v messages and $\lambda\binom{v}{t}/\binom{k}{t}$ encoding rules, that is
$(t-1)$-fold secure against spoofing. Conversely, if there
is an authentication system for k equiprobable source
states, having v messages and $\binom{v}{t}/\binom{k}{t}$ encoding rules,
that is $(t-1)$-fold secure against spoofing, then there is
a Steiner $t$-$(v, k, 1)$ design.

With a focus on optimal constructions, the above result
has been modified in [26] and generalized recently
in [13] to include also the aspect of perfect secrecy. In
particular, the first infinite classes of optimal perfect secrecy
systems that achieve twofold security have been
constructed in [13] as well as further optimal systems
that offer 3- and 4-fold security against spoofing. We
give in Table 1 all presently known optimal perfect secrecy
systems that are t-fold secure against spoofing
with $t \geq 1$ under equiprobable source probability
distributions.



4.2 Arbitrary Source Probability Distribution

For arbitrary source probability distributions, basically
two construction methods have been developed for perfect
secrecy systems that offer security against spoofing
attacks (cf. [6,7,26,31]). These constructions inherently
require larger numbers of encoding rules for achieving
the same level of security. One of the two methods with
the smaller number of encoding rules requires $\lambda\binom{v}{t}$
encoding rules when we want the perfect secrecy systems
with k source states and v messages to be $(t-1)$-fold
secure against spoofing (indeed, these systems achieve
perfect t-fold secrecy), and is based on authentication
perpendicular arrays $\mathrm{APA}_\lambda(t, k, v)$, cf. [26, Thm. 3.3].
For $t \geq 6$, there are — apart from two infinite series
with extremely large values of $\lambda$ — only a very
small number of authentication perpendicular arrays
$\mathrm{APA}_\lambda(t, k, v)$ known. These have been constructed via
Theorem 3 or similar results using t-designs. All these
$\mathrm{APA}_\lambda(t, k, v)$ have $t \leq 8$, and for t = 6 all have $\lambda$ > 24,
for t = 7 all have $\lambda$ > 70, and for t = 8 all have $\lambda$ > 280.
The two infinite series were constructed by Tran van
Trung [31] and have parameters v > k, k = 2t resp.
2t+1, and A = t! 2 (*7*)/6! resp. (t + l)i! 2 (°^)/6!.


Table 1 Optimal perfect secrecy systems from Steiner designs
that are t-fold secure against spoofing attacks

(The t column and parts of the k and v columns are missing from this copy; "…" marks a missing cell.)

k                      v                          b = b_opt
q + 1, q prime power   … / (q - 1), d > 2 even    v(v - 1) / (k(k - 1))
…                      v ≡ 1 (mod 6)              v(v - 1) / 6
…                      v ≡ 1 (mod 12)             v(v - 1) / 12
…                      v ≡ 1 (mod 20)             v(v - 1) / 20
q + 1, q prime power   …, d > 2 even              v(v - 1)(v - 2) / (k(k - 1)(k - 2))
…                      v ≡ 2, 10 (mod 24)         v(v - 1)(v - 2) / 24
…                      …                          260
…                      11                         66
…                      23                         253
…                      23                         1,771
…                      47                         35,673
…                      83                         367,524
…                      71                         194,327
…                      107                        1,032,122
…                      131                        2,343,328
…                      167                        6,251,311
…                      243                        28,344,492
…                      12                         132
…                      84                         5,145,336
…                      244                        1,152,676,008


5 A General Construction Method &
Theoretical Point of View

We present a construction method for designing perfect
secrecy systems that provide immunity to spoofing
attacks under equiprobable source probability distributions.

Theorem 6 Suppose there is a $t$-$(v, k, \lambda)$ design, where
v divides the number of blocks $b = \lambda\binom{v}{t}/\binom{k}{t}$. Then there
is a perfect secrecy system for k equiprobable source
states, having v messages and b encoding rules, that is
$(t-1)$-fold secure against spoofing. Moreover, the system
is optimal if and only if $\lambda = 1$.



Proof Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, k, \lambda)$ design, where
v divides $b = \lambda\binom{v}{t}/\binom{k}{t}$. It follows from Theorem 5
that the system is $(t-1)$-fold secure against spoofing
attacks. Thus, it remains to verify that the system
also achieves perfect secrecy when we assume that
the encoding rules are used with equal probability. By
Lemma 1, this means that a given message must occur
with the same frequency in each column of the resulting
encoding matrix. This can be achieved by ordering
every block of $\mathcal{D}$ in such a way that every point occurs
in each possible position in precisely b/v blocks. Since
every point occurs in exactly $r = \lambda\binom{v-1}{t-1}/\binom{k-1}{t-1}$ blocks
in view of Lemma 3 (c), necessarily k must divide r. By
Lemma 3 (b), this is equivalent to saying that v divides
b. To show that the condition is also sufficient, we may
consider the bipartite point-block incidence graph of $\mathcal{D}$
with vertex set $X \cup \mathcal{B}$, where $(x, B)$ defines an edge if
and only if $x \in B$ for $x \in X$ and $B \in \mathcal{B}$. An ordering on
each block of $\mathcal{D}$ can be obtained via an edge-coloring
of this graph using k colors in such a way that each
vertex $B \in \mathcal{B}$ is adjacent to one edge of each color,
and each vertex $x \in X$ is adjacent to b/v edges of each
color. Technically, this can be achieved by first splitting
up each vertex x into b/v copies, each having degree
k, and then by finding an appropriate edge-coloring of
the resulting k-regular bipartite graph using k colors.
We can now take the ordered blocks as encoding rules,
each used with equal probability. Moreover, optimality
occurs if and only if $\lambda = 1$ in view of Theorem 2. □

We note that the special case when $\lambda = 1$ has been
treated in [13, Thm. 6].
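
The ordering step in the proof of Theorem 6, written out as an added example (it is not code from the paper): each point is split into b/v copies of degree k, and k perfect matchings are peeled off the resulting k-regular bipartite graph, one per position. The function names and the two sample designs (a 2-(7,3,1) design and the sorted blocks of a 2-(13,3,1) design) are chosen here for illustration.

```python
from collections import Counter


def order_blocks(blocks, v):
    """Order each block so that every point fills each position b/v times.

    Edge-colouring from the proof of Theorem 6: colour c of the bipartite
    block / point-copy graph decides which point sits in position c.
    """
    b, k = len(blocks), len(blocks[0])
    if b % v:
        raise ValueError("v must divide b")
    seen = Counter()
    adj = []                        # adj[j]: point copies not yet placed in block j
    for B in blocks:
        nbrs = set()
        for x in B:
            nbrs.add((x, seen[x] // k))   # j-th incidence of x goes to copy j // k
            seen[x] += 1
        adj.append(nbrs)
    if any(seen[x] != k * (b // v) for x in range(v)):
        raise ValueError("every point must lie in exactly bk/v blocks")

    ordered = [[None] * k for _ in blocks]
    for colour in range(k):
        match = {}                  # point copy -> index of the block matched to it

        def augment(j, visited):
            # Kuhn's augmenting-path step for block j.
            for u in adj[j]:
                if u not in visited:
                    visited.add(u)
                    if u not in match or augment(match[u], visited):
                        match[u] = j
                        return True
            return False

        for j in range(b):
            # A regular bipartite graph always has a perfect matching.
            if not augment(j, set()):
                raise RuntimeError("no perfect matching; input is not a design")
        for u, j in match.items():
            ordered[j][colour] = u[0]     # position `colour` of block j holds point u[0]
            adj[j].remove(u)              # the remaining graph is (k - colour - 1)-regular
    return [tuple(row) for row in ordered]


def position_counts(rows):
    """One Counter per column: how often each point occupies that position."""
    return [Counter(row[c] for row in rows) for c in range(len(rows[0]))]


def is_balanced(rows, v):
    """Column condition of Lemma 1 for equiprobable encoding rules."""
    return all(cnt[x] * v == len(rows) for cnt in position_counts(rows) for x in range(v))


# Constructed sample inputs, blocks listed as sorted tuples (so not yet balanced).
FANO = [(0, 1, 3), (1, 2, 4), (2, 3, 5), (3, 4, 6), (0, 4, 5), (1, 5, 6), (0, 2, 6)]
STS13 = [tuple(sorted((x + g) % 13 for x in D))
         for D in ((0, 1, 4), (0, 2, 7)) for g in range(13)]

if __name__ == "__main__":
    for name, blocks, v in (("2-(7,3,1)", FANO, 7), ("2-(13,3,1)", STS13, 13)):
        rows = order_blocks(blocks, v)
        print(name, "balanced before:", is_balanced(blocks, v),
              "after:", is_balanced(rows, v))
```
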

Using Theorem 4, we may constructively generate
systems that can reach an arbitrarily high level of security
against spoofing.

Theorem 7 For all integers t and v with
$v \equiv t \pmod{(t+1)!^{2t+1}}$ and v > t + 1 > 0, there exists a perfect
secrecy system for t + 1 equiprobable source states, having
v messages and $b = (t+1)!^{2t}\, t!\, \binom{v}{t}$ encoding rules,
that is $(t-1)$-fold secure against spoofing.

Proof For the given design parameters, the division property
$v \mid b$ holds:

$$v \mid \lambda\frac{\binom{v}{t}}{\binom{k}{t}} \iff k(k-1)\cdots(k-t+1) \mid \lambda(v-1)\cdots(v-t+1)$$

$$\iff (t+1)! \mid (t+1)!^{2t+1}(v-1)\cdots(v-t+1).$$

Therefore, the claim follows by applying Theorem 6.

□

6 Explicit Constructions (I): Onefold Immunity 

We give in this section very efficient constructions of 
new optimal systems that are onefold secure against 
spoofing. 

Theorem 8 If there exists a difference family
DF$(v, k, \lambda)$ over a finite additive Abelian group G of
order v, then there is a perfect secrecy system for k
equiprobable source states, having v messages and
$b = \lambda v(v-1)/(k^2 - k)$ encoding rules, that is onefold secure
against spoofing. Moreover, the system is optimal if and
only if $\lambda = 1$.

Proof Let $\mathcal{F} = \{D_1, \ldots, D_l\}$ be a DF$(v, k, \lambda)$ over G.
We shall need the two basic facts:

• Since $l = \frac{\lambda(v-1)}{k(k-1)}$ is a positive integer, we have
$\lambda(v-1) \equiv 0 \pmod{k(k-1)}$ (*).

• Let $\mathrm{Orb}_G(D_i) = \{D_i + g : g \in G\}$ denote the G-orbit
of $D_i$. Then the union

$$\bigcup_{i=1}^{l} \mathrm{Orb}_G(D_i)$$

forms the family of blocks of a 2-$(v, k, \lambda)$ design admitting
G as a group of automorphisms acting regularly
(i.e., sharply transitively) on the points and
semiregularly on the blocks.

Thus, by (*) and Lemma 3, we have $v \mid b$, and the
requirements for applying Theorem 6 are fulfilled. □



Table 2 Perfect secrecy system from a cyclic difference family
CDF(13, 3, 1).

In particular, when $\mathcal{F} = \{D_1, \ldots, D_l\}$ is a
CDF$(v, k, \lambda)$, then a perfect secrecy system can be constructed
very efficiently due to the extremely simple
form of its encoding matrix (cf. Table 2). We note that
the special case when l = 1 in the above theorem has
been considered in [26, Thm. 6.5 & Remark]. In this case,
the respective cyclic difference set is a Singer difference
set yielding a projective plane of prime power order as
symmetric cyclic Steiner 2-design (i.e., v = b). We give
an example of a perfect secrecy system constructed via
Theorem 8 based on a CDF(13, 3, 1).

Example 2 A CDF(13, 3, 1) has two base blocks $D_1$ =
{0,1,4} and $D_2$ = {0,2,7}. The orbits of $D_1$ and $D_2$
immediately form an encoding matrix as given in Table 2.
The perfect secrecy system, having 3 equiprobable
source states, 13 messages and 26 encoding rules, is
optimal and offers onefold security against spoofing.
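
The system of Example 2, built and checked as an added example (it is not code from the paper): the two base blocks are developed modulo 13 into the 26 x 3 encoding matrix, perfect secrecy is verified through the posterior of Section 2, and the deception probabilities of orders 0, 1 and 2 are computed exactly. Function names are chosen here; keys and source states are assumed equiprobable, as in Theorem 8.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations
from math import comb

V = 13                                  # messages are the residues mod 13
BASE_BLOCKS = [(0, 1, 4), (0, 2, 7)]    # D_1, D_2 of the CDF(13, 3, 1) in Example 2


def is_difference_family(base_blocks, v, lam):
    """Definition 1 (ii): every nonzero residue is a difference x - y exactly lam times."""
    diffs = Counter((x - y) % v for D in base_blocks for x in D for y in D if x != y)
    return all(diffs[g] == lam for g in range(1, v))


def develop(base_blocks, v):
    """Encoding matrix: one row (key) per translate D + g, columns = source states."""
    return [tuple((x + g) % v for x in D) for D in base_blocks for g in range(v)]


def posterior(matrix, s, m):
    """p_S(s | m) for equiprobable keys and source states (Bayes' formula, Section 2)."""
    hits = sum(1 for row in matrix if row[s] == m)      # keys e with e(s) = m
    valid = sum(1 for row in matrix if m in row)        # keys e with m in M(e)
    return Fraction(hits, valid)


def has_perfect_secrecy(matrix, v):
    """Perfect secrecy: the posterior equals the prior 1/k for every s and m."""
    k = len(matrix[0])
    return all(posterior(matrix, s, m) == Fraction(1, k)
               for s in range(k) for m in range(v))


def deception_probability(matrix, v, i):
    """Exact success probability of the best spoofing attack of order i.

    With equiprobable keys and source states, every key whose block contains
    the i observed messages is equally likely, so the opponent inserts the new
    message that lies in the largest number of those blocks.
    """
    b, k = len(matrix), len(matrix[0])
    blocks = [frozenset(row) for row in matrix]
    wins = 0
    for observed in combinations(range(v), i):
        seen = set(observed)
        candidates = [B for B in blocks if seen <= B]
        if candidates:
            wins += max(sum(m in B for B in candidates)
                        for m in range(v) if m not in seen)
    return Fraction(wins, b * comb(k, i))


if __name__ == "__main__":
    assert is_difference_family(BASE_BLOCKS, V, 1)
    E = develop(BASE_BLOCKS, V)
    k = len(E[0])
    print(len(E), "encoding rules; first rows:", E[:3])
    print("perfect secrecy:", has_perfect_secrecy(E, V))
    for i in range(3):
        print(f"order {i}: P = {deception_probability(E, V, i)}, "
              f"(k-i)/(v-i) = {Fraction(k - i, V - i)}")
```

For orders 0 and 1 the computed values equal (k - i)/(v - i); at order 2 the value is 1, because two observed messages already determine the block of a 2-(13, 3, 1) design.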
Example 3 The following infinite ((i)-(iii)) and finite
((iv)-(v)) families of cyclic difference families
CDF(q, k, 1) with q a prime power are known (cf. [8]
and the references therein; [9]):

(i) For k = 3, 4 and 5, respectively, a CDF(q, k, 1) exists
for all prime powers $q \equiv 1 \pmod{k(k-1)}$.

(ii) A CDF(q, 6, 1) exists for all prime powers
$q \equiv 1 \pmod{30}$ with the exception q = 61.

(iii) A CDF(q, 7, 1) exists for all prime powers
$q \equiv 1 \pmod{42}$ with the exception q = 43, and the possible
exceptions q = 127, 211, $31^6$ as well as
$q \in [261239791, 1.236597 \times 10^{13}]$ such that (-3)tt = 1
in $\mathbb{F}_q$.

(iv) A CDF(q, 8, 1) exists for all prime powers
$q \equiv 1 \pmod{56}$ with $q < 10^4$, with the possible exceptions q =
113, 169, 281, 337.

(v) A CDF(q, 9, 1) exists for all prime powers
$q \equiv 1 \pmod{72}$ with $q < 10^4$, with the possible exceptions q =
289, 361.

Hence, in all these cases a perfect secrecy system for
k equiprobable source states, having q messages and
$q(q-1)/(k^2 - k)$ encoding rules, that is optimal and
onefold secure against spoofing can be constructed very
efficiently.

7 Explicit Constructions (II): Multifold 
Immunity 

We construct in this section the first near-optimal systems
that are 5- and 6-fold secure as well as further
systems with a feasible number of keys that are 7-fold
secure against spoofing. Recall that the number of encoding
rules in Theorem 6 is $\lambda$ times the lower bound of
Theorem 2. In order to construct perfect secrecy systems
with a high level of security against spoofing, we
are therefore interested in t-designs with large t and
small values of $\lambda$. These designs must satisfy the divisibility
condition $v \mid b = \lambda\binom{v}{t}/\binom{k}{t}$ of Theorem 6. When
$2 \leq \lambda \leq 10$, we call such a system near-optimal.

Relying on the Kramer-Mesner method [18], various
t-designs with large t have been constructed in recent
years under some prescribed groups of automorphisms
(cf. [3-5, 17]). We give some examples related to our
considerations.

Example 4 A 6-(19, 7, 4) design and three 6-(19, 7, 6)
designs have been constructed in [3] by prescribing the
groups Hol($C_{17}$)++ and Hol($C_{19}$), respectively (where
the + operator adds a fixed point to a permutation
group). The only known two smaller 6-(14, 7, 4) designs
have $C_{13}$+ as a prescribed group of automorphisms, but
do not satisfy our divisibility condition. The only known
further 6-design with $\lambda = 4$ has parameters 6-(23, 7, 4),
and is derived from the unique 7-(24, 8, 4) design with
PSL(2, 23) as a prescribed group of automorphisms.

Table 3 Near-optimal perfect secrecy systems from 6- and
7-designs that are 5- and 6-fold secure against spoofing attacks

t   k   v    b             b_opt     Design Parameters
5   7   19   4 x b_opt     3,876     6-(19, 7, 4)
5   7   22   8 x b_opt     10,659    6-(22, 7, 8)
5   7   23   4 x b_opt     14,421    6-(23, 7, 4)
5   7   25   6 x b_opt     25,300    6-(25, 7, 6)
5   7   32   6 x b_opt     129,456   6-(32, 7, 6)
6   8   24   8 x b_opt     43,263    7-(24, 8, 8)
6   8   26   6 x b_opt     82,225    7-(26, 8, 6)
6   8   33   10 x b_opt    534,006   7-(33, 8, 10)

Example 5 There are 7-(24, 8, $\lambda$) designs admitting
PSL(2, 23) with possible values $\lambda$ = 4, ..., 8. However,
only for $\lambda = 8$ the divisibility condition is fulfilled.
There exist 7-(26, 8, 6) designs, which have been
constructed with PGL(2, 25) as a prescribed group of
automorphisms (cf. [3]).

Example 6 The construction of 8-(31, 10, 100) designs
has been established in [5] with PSL(3, 5) as a prescribed
group of automorphisms. The only known
8-designs with smaller $\lambda$ are 8-(31, 10, 93) designs admitting
PSL(3, 5) again, but do not satisfy the divisibility
condition.

We present in Table 3 all near-optimal perfect secrecy
systems that are 5- and 6-fold secure against spoofing
under equiprobable source probability distributions.
We give the parameters of the systems as well as of the
respective designs. We also indicate the optimal number
$b_{opt}$ of encoding rules with respect to Theorem 2. All
presently known t-designs with t > 5 and $\lambda \leq 10$ have
been considered. We generally remark that all known
$t$-$(v, k, \lambda)$ designs with t > 5 have $\lambda \geq 4$. Furthermore,
three infinite series of 6-designs are known; however, for
each of them $\lambda$ increases rapidly.

In Table 4, we give further perfect secrecy systems
with a feasible number of encoding rules that are 7-fold
secure against spoofing under equiprobable source probability
distributions. All presently known t-designs with
t > 7 and $\lambda$ < 3,000 have been considered.

We refer to the above references for further infor- 
mation on the respective designs. 

Table 4 Some perfect secrecy systems from 8-designs that
are 7-fold secure against spoofing attacks

t   k    v    b               b_opt     Design Parameters
7   10   31   100 x b_opt     175,305   8-(31, 10, 100)
7   11   27   432 x b_opt     13,455    8-(27, 11, 432)
7   11   36   1,260 x b_opt   183,396   8-(36, 11, 1260)
7   11   40   1,440 x b_opt   466,089   8-(40, 11, 1440)
7   12   27   1,296 x b_opt   4,485     8-(27, 12, 1296)

Remark 1 As indicated in Table 3, a perfect secrecy
system, constructed from a 6-(23, 7, 4) design, with k = 7
equiprobable source states and v = 23 messages that is
5-fold secure against spoofing requires 57,684 encoding
rules. A perfect secrecy system, constructed from
a 6-(25, 7, 6) design, with k = 7 equiprobable source
states and v = 25 messages that is 5-fold secure against
spoofing requires 151,800 encoding rules.

For comparison, a perfect (5-fold) secrecy system,
constructed from an $\mathrm{APA}_{10}(5, 6, 24)$, with k = 6 source
states and v = 24 messages that offers 4-fold security
against spoofing for an arbitrary source probability
distribution requires 425,040 encoding rules. A perfect
(5-fold) secrecy system, constructed from an
$\mathrm{APA}_{60}(5, 7, 24)$, with k = 7 source states and v = 24
messages that is 4-fold secure against spoofing for an arbitrary
source probability distribution requires 2,550,240
encoding rules (cf. Subsection 4.2).



8 Application to the Verification Oracle Model 

We will now consider the scenario, where the oppo- 
nent has access to a verification oracle (V-oracle). In 
this extended authentication model, we assume that 
the opponent is no longer restricted to passively ob- 
serving messages transmitted by the sender to the re- 
ceiver. The opponent may send a message of the oppo- 
nent's choice to the receiver and observe the receiver's 
response whether or not the receiver accepts it as au- 
thentic. This more powerful, pro-active attack scenario 
can be modeled in terms of a V-oracle that provides a 
response (accept or reject) to a query message in the 
same way as the message would be accepted or not 
by the legitimate receiver. This attack model was re- 
cently introduced in [1,21]. We recall and slightly ad- 
just the notation as far as it is necessary for our con- 
sideration. Further details on this model can be found 
in [1,21,29,30]. 

In [29], the two types of online and offline attacks
are studied. In the online attack, the receiver is supposed
to respond to each incoming query message, and
thus the opponent is successful as soon as the receiver
accepts a message as authentic. Thus, every query message
is at the same time a spoofing message. In the offline
attack, the query and the spoofing phase are separated.
First, the opponent makes all his queries to the
oracle, and then uses this collected (state) information
to construct a spoofing message. In both scenarios, the
opponent is assumed to be adaptive. The online attack
models an opponent's interaction with a verification oracle
such as an ATM machine, while in the offline attack
the opponent may have captured an offline verification
box. Often, the offline attack model is used as an intermediate
model for analyzing the online scenario. We
speak in each scenario of a spoofing attack of order i in
the V-oracle model if the opponent has access to i verification
queries. The opponent's strategy can be modeled
via probability distributions on the query set $\mathcal{M}$ of
verification queries. The online deception probability $P_{d_i}^{\text{online}}$,
respectively offline deception probability $P_{d_i}^{\text{offline}}$, denotes
the probability that the opponent can deceive the receiver
with a spoofing attack of order i. In [29], lower
bounds on these deception probabilities have been obtained.

Theorem 9 (Tonien–Safavi-Naini–Wild) In an authentication system with $k$ source states and $v$ messages, the offline and online deception probabilities in the V-oracle model are bounded below by

$$P_{d_i}^{\text{offline}} \geq \frac{k}{v} \quad \text{and} \quad P_{d_i}^{\text{online}} \geq 1 - \frac{\binom{v-k}{i+1}}{\binom{v}{i+1}},$$

respectively.



Interestingly, it furthermore follows that

$$P_{d_i}^{\text{offline}} = \frac{k}{v} \quad \text{if and only if} \quad P_{d_i}^{\text{online}} = 1 - \frac{\binom{v-k}{i+1}}{\binom{v}{i+1}}.$$

Thus, an authentication system that attains the bound in the offline attack is the same as in the online attack, and vice versa. Clearly, $P_{d_i}^{\text{offline}}$ is independent of $i$. If the bound for $P_{d_i}^{\text{online}}$ is satisfied with equality, then also the bound for $P_{d_{i-1}}^{\text{online}}$ is satisfied with equality for $i \geq 1$ (cf. [29]). Hence, we call a system $t$-fold secure against spoofing in the V-oracle model if $P_{d_t}^{\text{offline}} = \frac{k}{v}$ or, equivalently, $P_{d_t}^{\text{online}} = 1 - \binom{v-k}{t+1} / \binom{v}{t+1}$. The notation of perfect secrecy holds as given in Section 2. An analogue to Theorem 2 has been derived in [29] for the V-oracle model.

Theorem 10 (Tonien–Safavi-Naini–Wild) If an authentication system is $(t-1)$-fold secure against spoofing in the V-oracle model, then the number of encoding rules is bounded below by

$$b \geq \frac{\binom{v}{t}}{\binom{k}{t}}.$$

Again, we call a system optimal when the lower bound holds with equality. For equiprobable source states, optimal authentication systems which are $(t-1)$-fold secure against spoofing in the V-oracle model have been characterized in [29]. We give the result in a slightly more generalized form, which can easily be obtained from the original proof.

Theorem 11 (Tonien–Safavi-Naini–Wild) Suppose there is a $t$-$(v, k, \lambda)$ design. Then there is an authentication system for $k$ equiprobable source states, having $v$ messages and $\lambda \cdot \binom{v}{t} / \binom{k}{t}$ encoding rules, that is $(t-1)$-fold secure against spoofing in the V-oracle model. Conversely, if there is an authentication system for $k$ equiprobable source states, having $v$ messages and $\binom{v}{t} / \binom{k}{t}$ encoding rules, that is $(t-1)$-fold secure against spoofing in the V-oracle model, then there is a Steiner $t$-$(v, k, 1)$ design.

We will now apply Theorem 6 to construct perfect secrecy systems that provide a high level of security against spoofing in the V-oracle model for equiprobable source probability distributions. This generalizes the result [16, Thm. 3.27], where the case $\lambda = 1$ has been treated.

Theorem 12 Suppose there is a $t$-$(v, k, \lambda)$ design, where $v$ divides the number of blocks $b = \lambda \binom{v}{t} / \binom{k}{t}$. Then there is a perfect secrecy system for $k$ equiprobable source states, having $v$ messages and $b$ encoding rules, that is $(t-1)$-fold secure against spoofing in the V-oracle model. Moreover, the system is optimal if and only if $\lambda = 1$.

Proof By Theorem 11, the system is $(t-1)$-fold secure against spoofing in the V-oracle model. Under the assumption that the encoding rules are used with equal probability, we may proceed as in the proof of Theorem 6 to verify that the system also achieves perfect secrecy. With respect to Theorem 10 optimality is obtained if and only if $\lambda = 1$. □
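
Theorem 12 and the online lower bound $1 - \binom{v-k}{i+1}/\binom{v}{i+1}$ can be checked by brute force on a small case. The following Python sketch is an added example, not code from the paper: it assumes the cyclic 2-(7,3,1) design developed from the base block {0,1,3} modulo 7, uses each translate as an encoding rule, and compares it with a constructed system from {0,1,2} that is only a 1-design; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

V = 7  # number of messages; message set is Z_7 (constructed toy parameters)

def develop(base):
    """Encoding rules e_j: source state s -> (base[s] + j) mod V, for j in Z_V."""
    return [tuple((x + j) % V for x in base) for j in range(V)]

def design_lambda(rules, t):
    """Return lambda if every t-subset of messages lies in exactly lambda blocks, else None."""
    counts = {sum(set(c) <= set(r) for r in rules)
              for c in combinations(range(V), t)}
    return counts.pop() if len(counts) == 1 else None

def has_perfect_secrecy(rules):
    """Uniform keys: P(message | source state) must not depend on the source state."""
    k = len(rules[0])
    return all(len({sum(r[s] == m for r in rules) for s in range(k)}) == 1
               for m in range(V))

def online_deception(rules, i):
    """Success probability of the best online attack of order i under uniform keys.

    The opponent stops at the first accept, so every earlier response was
    'reject' and a strategy reduces to a set of i+1 distinct messages.
    """
    fewest_rejecting = min(sum(not set(q) & set(r) for r in rules)
                           for q in combinations(range(V), i + 1))
    return 1 - Fraction(fewest_rejecting, len(rules))

def online_bound(v, k, i):
    """Lower bound 1 - C(v-k, i+1) / C(v, i+1) on the online deception probability."""
    return 1 - Fraction(comb(v - k, i + 1), comb(v, i + 1))

FANO = develop((0, 1, 3))          # 2-(7,3,1) design: t = 2, lambda = 1
NOT_2_DESIGN = develop((0, 1, 2))  # constructed comparison: a 1-design only

if __name__ == "__main__":
    for name, rules in (("2-(7,3,1)", FANO), ("1-design only", NOT_2_DESIGN)):
        print(name, "| lambda for t=2:", design_lambda(rules, 2),
              "| perfect secrecy:", has_perfect_secrecy(rules),
              "| online P_0, P_1:", [str(online_deception(rules, i)) for i in (0, 1)],
              "| bounds:", [str(online_bound(V, 3, i)) for i in (0, 1)])
```

Both systems have 7 encoding rules and perfect secrecy, but only the one built from the 2-design meets the order-1 bound with equality; the comparison system lets a two-message online attack succeed more often.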

Clearly, Theorem 7 can also be applied to the V-oracle model.

Theorem 13 For all integers $t$ and $v$ with $v \equiv t \pmod{(t+1)!^{2t+1}}$ and $v \geq t + 1 > 0$, there exists a perfect secrecy system for $t+1$ equiprobable source states, having $v$ messages and $b = (t+1)!^{2t}\, t! \binom{v}{t}$ encoding rules, that is $(t-1)$-fold secure against spoofing in the V-oracle model.

All the results in Section 6 and Section 7 may be 
transferred accordingly. 



9 Conclusion 

We have given novel perfect secrecy systems that provide immunity to spoofing attacks under equiprobable source probability distributions. Our construction method generalized in a natural manner the approach in [13] and allowed us to use $t$-designs instead of merely Steiner $t$-designs in the construction process. From a theoretical point of view, we have shown that based on Teirlinck's existence result for $t$-designs, perfect secrecy systems can be generated that can reach an arbitrary high level of security. Concerning explicit constructions, we have obtained, via cyclic difference families, very efficient constructions of new optimal systems that are onefold secure against spoofing. By using $t$-designs for large values of $t$, we have also presented the first near-optimal systems that are 5- and 6-fold secure as well as further systems with a feasible number of keys that are 7-fold secure against spoofing. Previous constructions of multifold secure systems had been known only for arbitrary source probability distributions, which inherently result in larger numbers of encoding rules for achieving the same level of security. We have furthermore applied our results to a recently extended authentication model, where the opponent has access to a verification oracle. Novel perfect secrecy systems with immunity to spoofing in the verification oracle model have been obtained this way.